19.5.Â Delegated Administration

A comprehensive permission delegation system allows
unprivileged users to perform ZFS
administration functions. For example, if each user's home
directory is a dataset, users can be given permission to create
and destroy snapshots of their home directories. A backup user
can be given permission to use replication features. A usage
statistics script can be allowed to run with access only to the
space utilization data for all users. It is even possible to
delegate the ability to delegate permissions. Permission
delegation is possible for each subcommand and most
properties.

19.5.1.Â Delegating Dataset Creation

zfs allow
someuser create
mydataset gives the
specified user permission to create child datasets under the
selected parent dataset. There is a caveat: creating a new
dataset involves mounting it. That requires setting the
FreeBSD vfs.usermountsysctl(8) to
1 to allow non-root users to mount a
file system. There is another restriction aimed at preventing
abuse: non-root
users must own the mountpoint where the file system is to be
mounted.

19.5.2.Â Delegating Permission Delegation

zfs allow
someuser allow
mydataset gives the
specified user the ability to assign any permission they have
on the target dataset, or its children, to other users. If a
user has the snapshot permission and the
allow permission, that user can then grant
the snapshot permission to other
users.